InfoSec Handlers Diary Blog

Sadly you won't need a surf board for this one. Just to give you a
heads up, there is a new round of emails with malicious links that is
making its way to the inboxes of many folks. If you haven't gotten one
yet, just give it time. Here is a quick summary of what we have found.

The subject lines of the examples we have received have all been
identical. You may have gotten something else.

"Subject: You've received a postcard from a family member!"

The following is an excerpt from the email body. (WARNING: Do NOT
FOLLOW THE LINKS below UNLESS YOU KNOW WHAT YOU ARE DOING!!)

--------
OPTION 1
--------

Click on the following Internet address or
copy & paste it into your browser's address box.

http://200.82.187 .228/?08a823e96272575cbc68911e6c36a4

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at
http://200.82.187 .228/

The website serves an interesting piece of JavaScript that appears to have multiple ways of exploiting a browser in order to compromise the system. If JavaScript is enabled, then you get:

MD5 (tm.exe) = 07276fce39282fd182757d2557f9eca7, which is a downloader that fetches this:

MD5 (logi.exe) = 4aa22564a0b886226d8cf14456a598ab

If JavaScript is disabled, then they provide you with a handy link to click on to infect yourself, and you get

MD5 (ecard.exe) = 30051dc10636730e4d6402ef8e88fd04.

Here is what a user would see:

"We are currently testing a new browser feature. If you are not able to
view this ecard, please click here (/ecard.exe) to view in its original format."
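As an added example (not code from the diary or from ISC), here is a small Python triage script built from the indicators above: it flags a message whose subject is the campaign lure or whose body links to the IP (tolerating the defanging space used in this post), and names a dropped file by the MD5s listed. The sample message is constructed from the quoted lure text.

```python
import hashlib
import re
from email import message_from_string
from typing import List, Optional

# Indicators from the diary above; the post's defanging space in the IP is removed.
SUSPECT_SUBJECT = "You've received a postcard from a family member!"
SUSPECT_HOST = "200.82.187.228"
KNOWN_MD5 = {
    "07276fce39282fd182757d2557f9eca7": "tm.exe (downloader)",
    "4aa22564a0b886226d8cf14456a598ab": "logi.exe (fetched by tm.exe)",
    "30051dc10636730e4d6402ef8e88fd04": "ecard.exe (no-JavaScript fallback)",
}
# URLs whose host is a dotted-quad IP; whitespace around the dots is tolerated
# so defanged copies such as "200.82.187 .228" are still recognised.
URL_RE = re.compile(r"https?://([0-9]{1,3}(?:\s*\.\s*[0-9]{1,3}){3})(/[^\s\"']*)?", re.I)

def extract_hosts(body: str) -> List[str]:
    """Return the normalised IP hosts of all IP-based URLs in a message body."""
    return [re.sub(r"\s+", "", m.group(1)) for m in URL_RE.finditer(body)]

def check_email(raw: str) -> List[str]:
    """Return the reasons a raw RFC 822 message matches the ecard campaign."""
    msg = message_from_string(raw)
    reasons = []
    if (msg.get("Subject") or "").strip() == SUSPECT_SUBJECT:
        reasons.append("subject matches campaign lure")
    payload = msg.get_payload(decode=True) or b""
    for host in extract_hosts(payload.decode(errors="replace")):
        if host == SUSPECT_HOST:
            reasons.append("link to known malicious host " + host)
    return reasons

def classify_sample(data: bytes) -> Optional[str]:
    """Name a dropped file by its MD5 if it is one of the diary's samples."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())

# Constructed sample message reproducing the lure text quoted in the diary.
SAMPLE_EMAIL = """Subject: You've received a postcard from a family member!
From: ecard@example.invalid
Content-Type: text/plain

Click on the following Internet address or
copy & paste it into your browser's address box.

http://200.82.187 .228/?08a823e96272575cbc68911e6c36a4
"""

if __name__ == "__main__":
    print(check_email(SAMPLE_EMAIL))
```

Feed `check_email` a raw message from a mail spool or quarantine, and `classify_sample` the bytes of any binary a sandbox run drops.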

Here is a listing of just a handful of the tens to hundreds of thousands of
infected home systems. Every Storm-infected system is potentially
capable of hosting the malware and sending the spam, but only a few will
be used in any given spam run, depending on how many emails they want
sent and how many web hits they're expecting. You will notice the
country/network diversity and the predominance of broadband providers
(data courtesy of Team Cymru).

Our testing hasn't resulted in a secondary malware download by ecard.exe yet.
However, here are two malicious URLs on this IP that were reported via CastleCops in May
(http://www.castlecops.com/p945429-omega_it_ru.html).

This IP may look familiar to many. It's been doing its bad thing since at least December 2006.
And here are a number of domains mapped to this IP that might look familiar: